The Iron Triangle of Service suggests that a product can be good, fast, or cheap—but not all three. That adage has taken on new meaning in the world of instant payments, where speed has often come at the expense of fraud detection. Is it possible to deliver payments that are both fast and secure, or must financial institutions choose one over the other?
A new report from Javelin Strategy & Research, Foolproof Payments: How AI Is Revolutionizing Payment Fraud, explores that question in the age of artificial intelligence. In the study, Jennifer Pitt, Senior Analyst of Fraud Management, examines where fraud prevention processes have fallen short and how banks can use AI to strengthen payment oversight.
No Time for Suspicion
In the past, organizations had at least some time to evaluate a payment as it moved through the system. Check transactions, for example, can take several days to clear, with multiple institutions involved that can intervene if something suspicious arises.
Real-time payments eliminate that buffer. Once a payment is sent, it’s gone. While a bank may later reimburse a customer or dispute the transactions as fraud, it no longer has the option to simply stop the payment before it settles.
Consumers have come to expect faster payments. At the same time, many understand that effective fraud prevention may require some friction—small steps to ensure they are not being victimized and are not unintentionally committing fraud. Educating consumers about the necessity of that friction is important, but so is striking the right balance. In fact, some early real-time payments prioritized speed over security. Many, including Zelle and Cash App, have since shifted course to strengthen fraud protections.
Signs of Fraud
With real-time payments, the key is identifying potential fraud before the customer clicks “yes” and completes the transaction. That requires analyzing historical and behavioral data: device intelligence, account activity patterns, and user behavior. Is the device being held differently? Is the login occurring from an unusual location? Are there sudden changes to account credentials?
Consider account takeover fraud. A criminal may first log in, then change some account details—adding a new email address or username. The next logical step is initiating a transaction. If that suspicious activity is flagged and stopped early, the fraudulent payment never occurs. That is the new frontier in payment fraud prevention: shifting from stopping fraud at the transaction level to preventing it before a payment is ever initiated.
“Consumers can’t wait a week to make transactions, but organizations need to make sure that their customer is a legitimate customer, not a bad actor, and that we’re protecting those customers from fraud,” said Pitt. “AI tools can look at things like behavior, customer device intelligence, and looking at historical information can help speed that up.”
Making Authentication Work
Authentication inevitably introduces friction. Asking a customer to retrieve a code from their phone or email adds steps to the process. FIs need to make that friction as seamless as possible, minimizing unnecessary hoops. Technologies such as passkeys and biometrics can replace cumbersome multi-step verification processes that require users to move between devices and applications.
“Financial institutions can introduce barriers like step-up authentication if there’s a higher risk that’s flagged,” said Pitt. “If I log into my account every day from Switzerland for 20 years, then one day I log in from Taiwan, that could be normal. I could have moved, but I didn’t tell the organization. So now they might do a step-up where I have to do another authentication to make sure that it’s me, then they would verify the new location.”
The Criminals’ Advantages
Banks and financial institutions must comply with privacy and security regulations while also avoiding excessive customer friction. Criminals face no such limitations.
On top of that, criminals are evolving rapidly with the help of AI. As AI capabilities advance, criminals are using these tools in real time, refining their tactics and making yesterday’s schemes even easier to execute today.
Banks, by contrast, often must navigate approvals, bureaucracy, and red tape, By the time new safeguards are implemented, they may be respondent to last year’s fraud trends. Focusing solely on the threats directly in front of them ensures a perpetually reactive strategy.
AI offers FIs a way to close that gap. While banks may never stay fully ahead of criminals, advanced AI tools can help them keep pace, and in some cases, anticipate emerging threats.
“There’s a lot of attention now on mobile check deposit fraud,” said Pitt. “Well, we should have known that 20 years ago when we had physical checks and moved to mobile deposit. We focus on the fraud that we see, not the potential fraud, and we need to shift our thinking. It’s like a triage patient—you have to stop the bleeding right there, but you have all these other patients coming in. We only address the immediate fraud that we have in front of us, and we never plug the hole.”
Pay Now, or Pay Later
One of the ways in which banks can be more effective is by reallocating resources. Many banks still rely heavily on manual reviews, generating overwhelming volumes of alerts—often with false positives as high as 99%. Human teams spend a lot of time investigating benign activity instead of focusing on actual threats. By using technology to filter routine alerts more accurately, FIs can deploy personnel toward deeper investigations, rather than chasing false leads.
“It’s legacy technology that flags some of these alerts rather than using the proactive real time detection,” said Pitt. “We get the pushback that it is cost prohibitive, but as I always say, you’re going to pay on the on either end somehow. You’ll pay on the front end for the technology, or you’re going to pay on the back end for more personnel, consent orders and fines or fraud. There are things in the industry we should have been able to anticipate that we didn’t, like enumeration attacks or check fraud.
“We need to start looking at the entire landscape and seeing how we can better detect some of this. And we need to start thinking like fraudsters. If I were a bad guy, what would I do? Where’s the hole in the organization? Let’s fill that!”
